News

SMART Advice on JASON (and PCAST)

As architect for SMART Platforms and community lead for the Blue Button REST API, I’m defining open APIs for health data that spark innovation in patient care, consumer empowerment, clinical research. So I was very pleased last month at an invitation to join a newly-formed Federal Advisory Committee called the JASON Task Force, helping ONC respond to the JASON Report (“A Robust Health Data Infrastructure”).

We’re charged with making recommendations to ONC about how to proceed toward building practical, broad-reaching interoperability in Meaningful Use Stage 3 and beyond. Our committee is still meeting and forming recommendations throughout the summer and into the fall, but I wanted to share my initial thoughts on the scope of the problem; where we are today; and how we can make real progress as we move forward.

Continue reading “SMART Advice on JASON (and PCAST)”

It’s About Time: Open APIs Finally Burst onto Healthcare’s Sluggish Scene


Nuviun Blog, June 9, 2014 — Sue Montgomery
In the midst of the struggles that we face with interoperability, efforts that support open API use may well hold the keys to the HIT Kingdom…
READ MORE >

Advisory Committee Kickoff a Success

The SMART Advisory Committee had a high-energy kickoff meeting on May 15. Below are some scenes from the day, which featured presentations by Joshua Mandel and Clayton Christensen as well as demonstrations of apps to be deployed in the near future.
Continue reading “Advisory Committee Kickoff a Success”

Forbes Adds to Advisory Committee News Coverage

Today Forbes published Who’s Who Of Health Care Join Forces For SMART Technology, the latest in recent news coverage of the SMART Advisory Committee launch.

AC-inthenews_5

Other pieces include:
Continue reading “Forbes Adds to Advisory Committee News Coverage”

Aneesh Chopra’s New Book Points to Launch of SMART Project

Aneesh Chopra, America’s first Chief Technology Officer and member of the SMART Platforms Advisory Committee, has published a new book called Innovative State: How New Technologies Can Transform Government. The SMART Project’s kickoff ITdotHealth meeting in 2009 is among the formative events he describes in Chapter 4, “Opening the Playbook.” Here he is seen with Ken Mandl at the Harvard Book Store, where he discussed the book on May 21. A video of the talk is provided by WGBH.

Ken-and-Aneesh-post

Introducing the SMART Advisory Committee

Our new advisory committee, made up of member organizations with strategic interest in transforming how the healthcare enterprise uses data, will play a critical role in guiding the SMART Platform toward broad adoption and use.

Learn more

SMART Advisory Committee

Disturbing state of EHR Security Vulnerability Reporting

Last week I reported on a set of security vulnerabilities that affected multiple EHR vendors and other Health IT systems.

I initially discovered the vulnerability in a single Web-based EHR system and successfully reported it directly to that vendor.

But my subsequent journey into the world of EHR vulnerability reporting left me deeply concerned that our EHR vendors do not have mature reporting systems in place. Patient health data are among the most personal, sensitive aspects of our online presence. They offer an increasingly high-value target for identity theft, blackmail, and ransom. It’s time for EHR vendors to take a page from the playbook of consumer tech companies by instituting the same kinds of security vulnerability reporting programs that are ubiquitous on the consumer Web.

HL7 and EHR Vendors must address security reporting

I’ll lead with the key message here, and provide supporting evidence below: HL7 and EHR vendors need to institute security vulnerability reporting programs!
Continue reading “Disturbing state of EHR Security Vulnerability Reporting”

Case study: security vulnerabilities in C-CDA display

For background, see my previous blog post describing the details of three security vulnerabilities in C-CDA Display using HL7’s CDA.xsl.

Last month I discovered a set of security vulnerabilities in a well-known commercial EHR product that I’ll pseudonymously call “Friendly Web EHR”. Here’s the story…

The story: discovery and reporting

I was poking around my account in Friendly Web EHR, examining MU2 features like C-CDA display and Direct messaging. I used the “document upload” feature to upload some C-CDAs from SMART’s Sample C-CDA Repository. At the time, I was curious about the user experience. (Specifically, I was bemoaning how clunky the standard XSLT-based C-CDA rendering looks.) I wondered how the C-CDA viewer was embedded into the EHR. Was it by direct DOM insertion? Inline frames? I opened up Chrome Developer Tools to take a look.
Continue reading “Case study: security vulnerabilities in C-CDA display”

Security vulnerabilities in C-CDA Display using CDA.xsl

TL;DR: If you’re using XSLT stylesheets to render C-CDAs in your EHR, make sure you understand the security implications. Otherwise you could be vulnerable to a data breach.

This blog post describes security issues that have affected well-known 2014 Certified EHRs.. Please note that I’ve already shared this information privately with the Web-based EHR vendors I could identify, and I’ve waited until they were able to investigate the issues and (if needed) repair their systems.

Last month I observed a set of security vulnerabilities in XSLT “stylesheets” used to display externally-supplied C-CDA documents in many EHRs. To be specific: the CDA.xsl stylesheet provided by HL7 (which has been adopted by many EHR vendors) can leave EHRs vulnerable to attacks by maliciously-composed documents.
Continue reading “Security vulnerabilities in C-CDA Display using CDA.xsl”

HIMSS14: Health IT’s Next Boom Cycle

HealthCare_InformationWeek_Logo

InformationWeek Healthcare, February 25, 2014 — Mark Braunstein
We’ve seen health informatics booms and busts before — will this one be different?
I’ve been attending HIMSS for decades, and in my view, the exhibit hall is the place to get a true pulse of the industry and the field in general. Over the years we’ve seen booms and busts. I remember HIMSS in my hometown of Atlanta during the heyday of health information exchange in the 90s, when the regional phone companies (remember them?) had huge exhibits touting their entry into the health informatics space…

Read more